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Abstract. Based on the analysis of 6-digit one-time passwords(OTP) generated by DIGI¬ 
PASS G03 we were able to reconstruct the synchronisation system of the token, the OTP 
generating algorithm and the verification protocol in details essential for an attack. The OTPs 
are more predictable than expected. A forgery attack is described. We argue the attack suc¬ 
cess probability is 8 -J . That is much higher than 10~ 6 which may be expected if all the digits 
are independent and uniformly distributed. Under natural assumptions even in a relatively 
small bank or company with 10 4 customers the number of compromised accounts during a 
year may be more than 100. 


1 Introduction 

The remote authentication is commonly multi-way. It is based on a combination of the customer’s 
identifier, his static password and a dynamic one-time password(OTP) generated by a security 
token, or read from a one-time password card, or communicated by a mobile device. Static passwords 
are at least theoretically may be tapped by a malicious software like trojans with keystroke logging 
for example, and used for an attack at some later point. Therefore the authentication security 
is largely based on the security of the one-time password. Theoretically, the latter is insecure if 
the next one-time password may be predicted with non-negligible probability given a number of 
previous one-time passwords. For instance, 6-digit password may be predicted with probability 1CV 6 
anyway. If it is possible to predict with a significantly larger probability, then there is an internal 
weakness in the generator or in the verification protocol. The number of attempted wrong log-ins 
is usually bounded. In practical terms that makes the implementation of the attack more difficult, 
but does not make that impossible. 

DIGIPASS is a one-time password generator manufactured by VASCO [T). In what follows we 
study 6-digit combinations produced by DIGIPASS G03. According to Q], the token is used by lots 
of customers all over the world, for instance, in Norway, Belgium, Ireland, United Kingdom, Nether¬ 
lands, Denmark, Saudi Arabia, South Africa etc. It is used in Norwegian banks as Sparebanken Vest, 
as described in Sect. [1] and DNB NOR. The latter is one of the largest banks in Norway with 2.3 
millions of retail customers and 198000 corporate customers. The device uses strong crypto algo¬ 
rithms as DES, TDES and AES and supports event and time based authentication. The detailed 
description of the algorithm was not published. 

Based on the experiments with the token, we show 6-digit combinations from DIGIPASS G03 
are dependent and more predictable than expected. The left most digit is used for synchronisation: 
it indicates a time interval where the token was pressed to generate the OTP. The left most digit of 
the current OTP depends on the left most digit of the previous OTP and the time t elapsed since 
the previous OTP was generated. The left most digit is predictable with probability almost 1 if t. 


is close to a multiple of 64 seconds. Also we found the token may generate the same combination 
if 50 < t < 64 seconds and the probability of that depends on t. The last 5 digits of the 6-digit 
combination are not uniformly distributed: the digits 0,1,2, 3,4, 5 appear with probability 1/8, 
while 6, 7, 8,9 appear with probability 1/16. 

We were able to reconstruct the synchronisation system of the token, the OTP generating al¬ 
gorithm and the verification protocol, see Sect. 12.51 and Sect. 12.61 in details essential for an attack. 
Our reconstruction fits well with the experimental data. In particular, it explains the OTP rep¬ 
etition and the token synchronisation. Though the algorithm implemented in DIGIPASS G03 is 
somewhat similar to that published in [3] and described in Sect. [5j there is a difference. Due to 
the synchronisation provided by the left most digit, the verifier needs only one OTP comparison to 
authenticate the token. 

A forgery attack is described in Sect. [3] The left most digit does not affect the security of the 
authentication. Therefore, the probability of one forged authentication is 8 -5 instead of 10~ 6 as 
one may expect. 

The attack may be automated and applied against any number of customers which use the 
token. We study the effect of the attack under natural assumptions that customer identifiers and 
static passwords are known to the adversary who may use malicious software as trojans etc to 
procure them, see for instance |4[. Also we assume the adversary is able to attack after each time 
the customer uses the token for authentication. Under those assumptions even in a relatively small 
bank or company with 10 4 customers the number of compromised accounts during a year may be 
more than 100. 


2 Experimental Study of OTPs by DIGIPASS G03 

The experiments were produced by pressing the token and the stopwatch simultaneously at some 
time steps. A very little fluctuation between the real pressing time and that indicated in the tables 
below is possible. The data in the tables was produced by the same DIGIPASS G03 token. Some 
of the experiments were repeated for other tokens with similar results. 

The customer presses the token to generate an OTP. During the next 40 seconds this OTP is 
kept on the screen and then disappears. If one then presses the token in time between 40 and 50 
seconds the same OTP reappears. If one presses in > 50 seconds a new OTP is generated. The 
OTP may repeat if the token is pressed in between 50 and 64 seconds again as described in the 
next Sect. 12.11 

2.1 OTPs at time steps within [0 : 50+, 1 : 03+) 

Tables fnUTRl present 6-digit combinations produced at time step t (format minrsec), where 0 : 50 < 
t < 0 : 51 (denoted t = 0 : 50+, Tabled, 0 : 51 < t < 0 : 52 (denoted t = 0 : 51+, Tabled and so 
on. 

For instance, 29 combinations in Table [5] were produced at time step t = 0 : 50+. The first 
OTP 240445 indicates starting time 0 : 00.00, the next 302168 was generated after 50.35 sec, 
the next 498773 was generated after another 50.41 sec and so on. Surprisingly, the DIGIPASS 
happens to repeat the combination. For instance, 642055 repeats after 0 : 50+ seconds again etc. 
That does not seem affect the security of the authentication as the server(veriher) does not accept 
repeated combination as correct. The sequence of 6-digit combinations in the tables may be split 
into intervals, each interval ends with a repeated 6-digit combination. For t = 0 : 50+ the length 



of the intervals is 4 or 5. The right most column in the tables contains a sequence of differences 
modulo 10 between the left most digits in subsequent 6-digit combinations. That is called a pattern 
of the sequence. The pattern may be split into intervals accordingly. 

For t = 0 : 51+ the length of the intervals is 5 or 6. For t = 0 : 52+ the length of the intervals 
is 5 or 6 again but the pattern is different. For t = 0 : 53+ the length of the intervals is 6 or 7 and 
so on. Finally, for t = 1 : 03+ the length of an interval may be larger than 67. 

So when pressing at time step t within [0 : 50+, 1 : 03+) the first digit of the combination 
increases by 1 or is the same and the whole combination repeats. The pattern changes when t changes 
every second. In particular, the probability that 0 appears in the pattern is steadily decreasing while 
the time step is increasing by a second. For t around 1 : 04 = 64 seconds the left most digit increases 
by 1 with probability very close to 1. 


2.2 OTP at time intervals t within [1 : 04+, 2 : 07+) 

When the pressing at time steps within [1 : 04+, 2 : 07+) the first digit of the combination increases 
by 1 or 2 and the pattern changes every second as above.Tables HT)lP?51 represent 6-digit combinations 
after pressing at time steps t, where t = 1 : 04+, 1 : 21+, 1 : 22+, 1 : 54+, 2 : 07+. The combinations 
may be split into the intervals. In Tables 1191201211 the interval ends each time when the left most 
digits increases by 2 modulo 10. In Tables [221231 the interval ends each time when the left most 
digits increases by 1 modulo 10. For t = 1 : 21+ the pattern includes intervals of length 3 and 4. For 
t = 1 : 22+ there are intervals of length 3 and 4 again, but the pattern is different. In particular, the 
intervals of length 3 appear more often than the intervals of length 4. The pattern for t = 1 : 54+ 
is very similar to the pattern for t = 0 : 50+ with changing 0,1 by 1, 2. 


2.3 Pattern in General 

Based on the experiments with the time steps t within [0 : 50+, 1 : 03+) and within [1 : 04+, 2 : 
07+), and by extrapolating to any time interval we conclude the following. 

1. The smallest time interval used in the measurements and the computations by DIGIPASS and 
the server is a second. 

2. For (1 : 04) x A < t < (1 : 04) x (A + 1) the first digit of the combination increases by A or 
A + 1 modulo 10. Each such interval incorporates 64 seconds and is equivalently represented as 

[64 x A,64x (A + l)). (1) 

Within © the pattern only includes digits A, A + 1 modulo 10 and is changing when t is 
changing every second. 

3. The patterns are similar for time shifts equal to a multiple of 64 seconds. In other words, the 
patterns are similar for time steps t and t + 64 seconds after substituting A,A+ 1 by A + l, A + 2 
respectively for any t. 

4. Assume an OTP was generated and the next OTP was generated in t seconds. The first digit 
of the combination may increase by A modulo 10 only if 


t £ [64 x (A — 1), 64 x (A + 1)). 


(2) 







5. The first digit likely increases by A — 1 modulo 10 in the beginning of the time interval (|!Zjl. 
by A + 1 modulo 10 in the end. In the middle it mostly increases by A modulo 10. So if t is 
about 64 A seconds, the left most digit increases by A modulo 10 with probability close to 1. 
By symmetry, the probability of getting an increase by A modulo 10 within the interval (© is 
1 / 2 . 

Those observations are supported by experiments with random time steps in Table Q] and the time 
step 10 : 46 in Tabic EH 


2.4 Synchronising Function 

Let (to, cio) be some initial values. Let (U,ai), i = 1,2,... be the sequence of tuples, where ti is the 
time when an OTP was generated and a,; is its left most digit. We claim there is a function f(ti, t k ) 
such that for any l > k > 0 

1- f{UAk) G {hik - 1 ,h ik }, where h tk - 1 < < h ik , 

2. ai - a k = f{ti,t-k) mod 10, 

3. and 

i -1 

= ^2f(t i+ i,ti). (3) 

i=k 

Though the function / may also depend on some other parameters, that does not affect our conclu¬ 
sions. The value of f(ti,t k ) represents the number of ’’time steps” between ti and t k and is similar 
to the time step function used in the well-known time-based OTP algorithm described in Sect. [5] 
However in contrast, f(ti,tk) nray have two values according to property 1 of /. 

For example, the following Table [1] data was produced by pressing the token for 20 random time 
intervals ti — ti-\ within 1 and 10 minutes or so. The 4-th column of the table presents integers 
h — 1, h such that h — 1 < < h, where ti — ti -1 was transformed into seconds. The 5-th 

column presents the pattern of the sequence of 6-digit combinations. The 6-th column gives the 
value of f(ti,ti- 1 ) G {h — 1, h} according to the definition above. 

Let us compute /(tiijts). As in — t 5 = 30 : 27 = 1827 seconds, we have 28 < * 11 6 ^* 5 < 29. By 
©, we compute /(in, is) = 5 + 1 + 3 + 9 + 7 + 4 = 29 and see that an — as = /(in, is) mod 10. 
Therefore all the properties in the definition of / are satisfied for /(in, is). Similarly, one computes 
/(i;,ifc) for any other ti,tk in Tableland in any other table of this paper and checks it always 
satisfies the definition. 

2.5 How does the token generate an OTP 

In this section we reconstruct the way how an OTP is generated by the token. Let io be some initial 
moment of time and Aq an initial value. Let U-i be the time of generating the (z — l)-th OTP and 
let Ai -1 be an auxiliary integer number. Both and Ai-\ are kept by the token before the next 
pair is computed. The next OTP a,i,Xi is generated at time £,,* > 1 by 

Ai = Ai -1 + f(ti, ti- 1), 

at = Ai mod 10, 

Xi = E K (Ai), 





Table 1 . 6-digit combinations at random time intervals 


i 

comb. 

ti ti— i 

ti—ti — i 

64 

a-i — ai -1 mod 10 

f {ti i ti — l) 

0 

565201 





1 

057045 

6:00 

5,6 

5 

5 

2 

031320 

10:01 

9,10 

0 

10 

3 

317587 

3:11 

2,3 

3 

3 

4 

291277 

10:05 

9,10 

9 

9 

5 

433132 

2:15 

2,3 

2 

2 

6 

911213 

5:08 

4,5 

5 

5 

7 

041125 

1:17 

1,2 

1 

1 

8 

319430 

2:26 

2,3 

3 

3 

9 

253057 

10:16 

9,10 

9 

9 

10 

987234 

7:31 

7,8 

7 

7 

11 

398564 

3:49 

3,4 

4 

4 

12 

070423 

7:32 

7,8 

7 

7 

13 

216702 

1:43 

1,2 

2 

2 

14 

542368 

3:29 

3,4 

3 

3 

15 

914109 

4:35 

4,5 

4 

4 

16 

293821 

3:28 

3,4 

3 

3 

17 

348346 

1:05 

1,2 

1 

1 

18 

913123 

5:39 

5,6 

6 

6 

19 

611331 

8:10 

7,8 

7 

7 

20 

501416 

9:37 

9,10 

9 

9 


where at is the OTP left most digit and Xi is a 5-digit combination, 6 digits overall. The function Ek 
is based on an encryption algorithm and depends on a secrete key. By induction and the property 
of / in Sect. 12.41 

Ai = Ai_i + i) = Aq + f{ti- 1 A 0 ) + l) = Aq + f(ti,to). (4) 

The algorithm above is similar to one described in Sect. 0 where the number of time steps is a 
steadily increasing function: it increases by 1 after each fixed time interval. In contrast, /(ti,to) 
may have two values for f, within the same time interval of 64 seconds, see Sect. 12.41 

The algorithm fits well with the properties of DIGIPASS G03 found in Sect. [2] In particular, 
if 1 ) = 0, then Ai = Ai -1 and the whole OTP repeats. The latter is only possible for 

ti — U -1 < 64 seconds by the definition of /. Also the algorithm explains why the token may be 
pressed any number of times without authentication and the authentication still works after, see 
the next Sect. 12.61 for details. 

2.6 How does the verifier check the OTP 

In what follows we reconstruct the server (verifier) action in authentication. When a customer logs 
in he introduces his identifier and static passwords into a pop up window on the monitor of his 
computer. He then presses the DIGIPASS, reads an OTP, introduces that into another pop up 
window and hits the return key. When verifying the server is to solve the following three problems. 

1. Handle the delay between generating the OTP and when the server gets it for authentication. 










2. Check if the OTP was produced by the token assigned to that customer. 

3. Assume a customer generates several OTPs without log in. The server should be able to au¬ 
thenticate that customer with the same token later. 


Handling a delay. Let t be the time of generating an OTP and t' the time it comes to the 
server for authentication. There should be an acceptable delay time interval t' — t < T. We found 
T is 480 seconds by the following experiment. An OTP was generated and then introduced to the 
system with a delay of t" and the server reaction was observed. The results are in Table [2] In this 
experiment T is 8 minutes, that is 480 seconds. Interestingly, after the OTP was introduced with a 
delay of 7 : 59+ and accepted, the synchronisation between the DIGIPASS and the server got lost. 
A new token had to be used. 


Table 2. Delay handling at the verifier 


t" 

12:40+ 

10:00+ 

9:11+ 

8:00+ 

7:59+ 

7:04+ 

6:02+ 

5:06+ 

status 

reject 

reject 

reject 

reject 

accept 

accept 

accept 

accept 


Defining the value of f within the delay. Let to be an initial time and Aq an initial integer 
number, both are available for the prover and the verifier. Let t be the time when the OTP a, X 
was generated. Let t' be the time when it comes to the server for verification. We show the server 
is able to recover /(t,t 0 ) if t' — t < 480 seconds. Really, let t' belong to the interval 


B — 1 < 


t' -t 0 
64 


< B 


for some B. Therefore if t' — t < 480 seconds, then 


(5) 


B — 9 < 


t - 1 0 
64 


< B. 


( 6 ) 


So 


/(t, to) € {B — 9,..., B — 1, B} 


by the definition of /. As /(t, to) = a — Aq mod 10, the server finds 


/(Mo) = A- A 0 . 


Simultaneously, the verifier learns an interval of at most 128 seconds for t: 


(fit, t 0 ) - 1) 64 < t - t 0 < (/(t, t 0 ) + 1) 64. 


Moreover it is likely that 


/(Mo) 64 +t 0 


( 7 ) 


seconds by property 5 in Sect. 12.31 














Verification protocol In this description we skip the verification of the customer’s static pass¬ 
words. Let t be the moment of time when the token generates a new OTP a, X and t' be the moment 
of time when it comes for verification. The following protocol authenticates the token. 

1. Compute B by (0. 

2. Find f(t,t 0 ) = A — A 0 from dTJ) and therefore A. 

3. Compute 

X' = E K (A) 

and check if X = X'. If equality, then the OTP is accepted, otherwise rejected. 

By the properties of / and by Q, A only depends on Ao,t o and t. So the customer may press the 
token any number of times without log in and that won’t affect the next authentication. 


2.7 Last 5 digits distribution 


Let 


abcdef 


be a 6-digit combinations produced by DIGIPASS G03. According to the analysis in previous 
sections, the first digit a is used for synchronisation. We study the distribution of the other digits 
6, c, d, e, / taken separately. There are 814 OTPs without repetitions in all the tables of this article. 
We count the number of times a decimal digit appears in each of the last five positions in those OTPs. 
The data is collected in Table [3] where the positions are denoted by b,c,d,e,f. The distributions 


Table 3. The experimental digit distribution in the last 5 positions 



0 

1 

2 

3 

4 

5 

6 

7 

8 

9 

b 

102 

92 

94 

109 

102 

105 

53 

59 

48 

50 

c 

96 

108 

96 

107 

115 

80 

61 

52 

45 

54 

d 

101 

121 

109 

94 

98 

103 

51 

49 

47 

41 

e 

108 

100 

108 

93 

110 

97 

53 

56 

45 

44 

f 

97 

110 

110 

108 

100 

83 

51 

57 

54 

44 


are not uniform. The digits 0,1,2, 3,4, 5 appear twice more often on the average than 6, 7,8, 9. 
Our explanation is the following. The last 5 digits are produced from a 20-bit string of pseudo¬ 
random data. One decimal digit per each subsequent 4-bit string. The latter represents a number 
from {0,1,..., 15} and therefore a decimal digit after reduction modulo 10. As 4-bit strings are 
distributed uniformly, the distribution of decimal digits is as 0,1, 2,3,4, 5 have probability 1/8 and 
6, 7,8, 9 have probability 1/16. That fits well with the experimental Table [3] data. 

3 Basic Attack 

We may assume customer’s static passwords are known to the adversary. In what follows a basic 
algorithm to forge the dynamic password generated by a DIGIPASS is presented and the probability 
of success is calculated. Let t' be the time the latest OTP generated by the customer came for 
authentication, it may be known to the adversary or guessed as well. 


















1. Take random a mod 10. 

2. Generate 5 random digits 

b,c,d,e,f € {0,1,2,3,4,5}. 

Put X = bcde /. 

3. Introduce the forged OTP a,X. 

To avoid possible security checks at the verifier, one may supply the forged OTP at time > t' + 64 
seconds or so for instance. In order to authenticate the server constructs a value A such that A = a 
mod 10, computes X' = Ek(A) and matches X and X'. 

According to Sect. 12.71 the probability X = X' is 8 -5 . The probability p(x) of the attack success 
in case of x independent attempts to log in is 


PW = 1 - (i - 4) 


3.1 One customer is targeted 

When the customer finishes his session of authentications, the adversary communicates with the 
server by introducing the customer’s identifier and his static password and tries to start a new session 
of authentications with forged OTP according to the algorithm in Section [3] Also there might be 
a possibility for the adversary to forge the OTP during the session started by the customer. If not 
there should be a possibility for him to interrupt the customer’s session and then try to start a 
new session with a forged OTP. Therefore we assume the adversary is able to start forging the 
customer’s authentication after each finished authentication by the customer. 

For instance, in Norwegian Sparebanken Vest, see Sect. HI each transaction requires an authen¬ 
tication. Let a customer use the remote authentication once per month to accomplish 10 authenti¬ 
cations, e.g., to start a new session and to pay 9 bills. Therefore the number of forged attempts to 
authenticate is about 120 r during a year per customer, where r is the number of allowed attempts 
of authentication. In Sparebanken Vest r = 3. So the attack success probability applied during 
a year is then p(120r). If the attacker wants the attack to go unveiled he should wait for a new 
authentication by the customer to start a series of r — 1 attempt forged authentication. The success 
probability is then p(120(r — 1)) for one year. 


Table 4. The success probability during a year 


r 

1 

2 

3 

4 

5 

6 

p (120 r) 

0.0036 

0.0072 

0.0109 

0.0145 

0.0181 

0.0217 


3.2 Many customers are targeted 

Let N customers use the remote authentication to accomplish 10 authentications per month on the 
average, that is 120 authentications per year. The average number of successful forged authentica¬ 
tions is then about Np(120r) during one year. The attack may be automated. If it works against 










one customer that should work against N = 10 6 or so of them. For r = 3 we have 

Np(120 x 3) « N x 0.010926 

of customer’s accounts will get compromised on the average. If N = 10 6 then the number of 
compromised accounts is around 10926 during one year. For N = 10 4 the number of compromised 
accounts during one year is around 109. 

4 Authentication in a Norwegian Bank 

There are 3 ways for a customer in Norwegian Sparebanken Vest to authenticate himself and get 
access to his account for internet banking. They are 

1. ” BanklD-innlogging” requires the social security number, BankID password of the customer’s 
choice and a one-time password from DIGIPASS G03. 

2. ’’BankID pa rnobil” requires the social security number, PIN-code and a mobile phone with a 
BankID certificate on that. 

3. ’’Alternativ innlogging” requires the social security number, internet banking password of the 
customer’s choice and a one-time password generated by DIGIPASS G03 or read from a one¬ 
time password card. 

Two of the three authentication protocols require a one-time password generator. 

5 Published One-Time Password Algorithms 

Two One-Time Password(OTP) algorithms are published in |2I3| . The first HMAC-based One- 
Time Password (HOTP) algorithm specifies event-based OTP algorithm. The other(TOTP) is en 
extension of the HOTP algorithm to support the time-based moving factor. We briefly describe the 
latter. The prover( token) and the verifier(authentication server) use the same time-step value X. 
There must be a unique secret key K for each prover. Therefore, 

TOTP=HOTP (K,T) = Truncate(HMAC(”crypto”, K, T)), (8) 

where T is an integer number which represents the number of time steps between the initial counter 
time To and the current Unix time. More specifically, 

T = [(Current Unix Time — To)/XJ. 

The server should compare OTP not only with the receiving time-stamps but also the past time- 
stamps that are within a transition delay window, specified by the protocol. The function ’’Truncate” 
is specified in [2] for HMAC-SHA-1 as ’’crypto” in ©. 
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6 Appendices 


Table 5. 6-digit combinations at 0 : 50-1- 


comb. 



7 

818140 

1 


15 

475446 

1 




240445 



8 

943630 

1 


16 

534182 

1 


23 

141253 

1 

302168 

1 


9 

943630 

0 


17 

621339 

1 


24 

141253 

0 

498773 

1 


10 

091211 

1 


18 

747108 

1 


25 

251821 

1 

591327 

1 


11 

147884 

1 


19 

747108 

0 


26 

370755 

1 

642055 

1 


12 

220372 

1 


20 

829372 

1 


27 

455412 

1 

642055 

0 


13 

388126 

1 


21 

904089 

1 


28 

455412 

0 

773743 

1 


14 

388126 

0 


22 

012530 

1 





Table 6. 6-digit combinations at 0 : 51-1- 


i 

comb. 


0 

613525 


1 

770281 

1 

2 

813348 

1 

3 

900173 

1 

4 

061082 

1 

5 

061082 

0 

6 

140542 

1 

7 

214421 

1 

8 

330592 

1 

9 

446002 

1 

10 

446002 

0 

11 

577502 

1 

12 

660042 

1 

13 

711359 

1 

14 

873243 

1 

15 

873243 

0 

16 

953483 

1 

17 

081487 

1 

18 

127404 

1 

19 

252525 

1 

20 

252525 

0 


21 

319740 

u 


42 

062056 

i 

22 

431246 

1 


43 

130310 

1 

23 

544489 

1 


44 

207562 

1 

24 

684950 

1 


45 

377484 

1 

25 

751093 

1 


46 

377484 

0 

26 

751093 

0 


47 

405446 

1 

27 

843031 

i 


48 

510028 

1 

28 

953144 

i 


49 

655673 

1 

29 

091433 

i 


50 

722642 

1 

30 

102531 

i 


51 

869254 

1 

31 

102531 

0 


52 

869254 

0 

32 

265373 

i 


53 

930220 

1 

33 

344032 

i 


54 

009236 

1 

34 

413491 

i 


55 

131738 

1 

35 

520503 

i 


56 

292465 

1 

36 

520503 

0 


57 

292465 

0 

37 

659320 

1 


58 

325694 

1 

38 

755504 

1 


59 

444324 

1 

39 

834672 

1 


60 

546511 

1 

40 

956211 

1 


61 

627135 

1 

41 

956211 

0 


62 

627135 

0 


63 

756821 

0 

64 

813067 

1 

65 

915018 

1 

66 

000513 

1 

67 

000513 

0 

68 

123010 

i 

69 

230168 

i 

70 

336542 

i 

71 

444814 

i 

72 

444814 

0 

73 

524691 

1 

74 

672561 

1 

75 

774225 

1 

76 

804713 

1 

77 

804713 

0 

78 

906800 

1 

79 

099042 

1 

80 

158124 

1 

81 

211271 

1 

82 

343838 

1 

83 

343838 

0 


Table 7. 6-digit combinations at 0 : 52+ 


1 

comb. 


0 

736910 


1 

826434 

1 

2 

938934 

1 

3 

092613 

1 

4 

114863 

1 

5 

114863 

0 

6 

242575 

1 

7 

310480 

1 


8 

407177 

1 


17 

142656 

1 

9 

529021 

1 


18 

205424 

1 

10 

690643 

1 


19 

344929 

1 

11 

690643 

0 


20 

449877 

1 

12 

725702 

1 


21 

588742 

1 

13 

835136 

1 


22 

588742 

0 

14 

911041 

1 


23 

654000 

1 

15 

065804 

1 


24 

731026 

1 

16 

065804 

0 


25 

852133 

1 


to 

o 

951011 

pq 

27 

951011 

0 

28 

092344 

1 

29 

103750 

1 

30 

273100 

1 

31 

325527 

1 

32 

446575 

1 

CO 

CO 

446575 

0 






















Table 8. 6-digit combinations at 0 : 53+ 



comb. 


543141 

632547 

750122 

820133 

971984 

023743 

023743 

123658 

213661 


304190 

402721 

584269 

584269 

693419 

781459 

873255 

909506 

034130 

034130 


19 

146039 

20 

212926 

21 

324996 

22 

412623 

23 

518153 

24 

518153 

25 

696243 

26 

703153 

27 

807928 


28 

913106 

29 

024819 

30 

024819 

31 

103301 

32 

261544 

33 

367120 

34 

488616 

35 

534404 

36 

683124 


683124 



Table 9. 6-digit combinations at 0 : 54+ 



comb. 


460553 

522574 

605910 

708033 

891210 

982543 

019508 

019508 


8 128426 

9 273175 
325114 
428472 
548721 
685321 
685321 
744745 
893417 


17 930741 

18 015819 

19 145630 

20 145630 

21 210016 

22 305020 

23 422742 

24 533817 

25 643375 


26 

714284 

27 

714284 

28 

817215 

29 

950261 

30 

070143 

31 

156623 

32 

209504 

33 

311863 

34 

311863 



Table 10. 6-digit combinations at 0 : 55+ 



comb. 


041004 

129955 

236319 

373335 

483103 

591790 

615196 


615196 
756362 
9 890229 

10 932420 

11 051043 

12 130620 

13 251594 

14 320845 


15 320845 

16 424153 

17 589022 

18 640131 

19 784457 

20 820301 

21 900508 

22 900508 


23 063637 

24 172283 

25 215258 

26 324114 

27 440322 

28 511341 

29 649452 

30 649452 



Table 11. 6-digit combinations at 0 : 56+ 













































Table 12. 6-digit combinations at 0 : 57-1- 


m 

comb. 



14 

041825 

1 


29 

302724 


0 

742005 



15 

119034 

1 


30 

437411 


1 

801269 

1 


16 

201337 

1 


31 

510241 


2 

906986 



17 

305590 

1 


32 

682113 


3 

026145 



18 

452553 

1 


33 

752402 


4 

152120 



19 

452553 

0 


34 

812812 


5 

273223 



20 

546102 

1 


35 

914573 


6 

369351 



21 

617949 



36 

069241 


7 

454726 



22 

794572 



37 

133169 

1 

8 

572390 



23 

806460 



38 

133169 

0 

9 

572390 



24 

904205 



39 

287604 

1 

10 

606452 

1 


25 

042962 



40 

344041 

1 

11 

741415 

1 


26 

172347 



41 

409260 

1 

12 

830660 

1 


27 

234253 



42 

536335 

1 

13 

956443 

1 


28 

234253 



43 

673364 

1 


44 

754503 

1 

45 

859096 

1 

46 

915222 

1 

47 

044338 

1 

48 

044338 

0 

49 

165276 

1 

50 

262014 


51 

304038 


52 

409315 


53 

504916 


54 

642188 


55 

756278 


56 

807203 


57 

807203 



Table 13. 6-digit combinations at 0 : 58-1- 


1 

comb. 


0 

710424 


1 

832534 

1 

2 

954513 

1 

3 

051144 

1 

4 

144831 

1 

5 

225274 

1 


6 

331435 

1 

■ 

13 

941303 

1 

7 

430511 

1 


14 

044900 

1 

8 

574450 

1 


15 

194233 

1 

9 

646207 

1 


16 

215335 

1 

10 

762324 

1 


17 

381041 

1 

11 

762324 

0 


18 

450269 

1 

12 

811080 

1 

1 

19 

524832 

1 


to 

o 

611601 

Q 

21 

714464 

B 

22 

876142 


23 

876142 



Table 14. 6-digit combinations at 0 : 59+ 


1 

comb. 




171118 

1 


21 

109515 

1 


32 

108404 

0 

132935 



11 

231314 

1 


22 

266521 

1 


33 

275774 

i 

279542 

1 


12 

343154 

1 


23 

344521 

1 


34 

353233 

2 

344200 



13 

421393 

1 


24 

456243 

1 


35 

404253 

3 

413388 



14 

421393 

0 


25 

557915 

1 


36 

578471 

4 

578023 



15 

553101 

1 


26 

612537 

1 


37 

646855 

5 

085158 



16 

635170 

1 


27 

786251 

1 


38 

712803 


731544 



17 

759238 

1 


28 

786251 

0 


39 

849321 

7 

815031 



18 

815107 

1 


29 

836131 

1 


40 

921401 

8 

945111 



19 

965207 

1 


30 

957731 

1 


41 

061879 

9 

064830 




000298 

1 


31 

051304 

1 


42 

061879 










































Table 15. 6-digit combinations at 1 : 00+ 


1 

comb. 



6 

323641 



13 

940556 

1 


20 

693002 

0 

724454 



7 

454143 



14 

335577 

0 


21 

711011 

1 

861432 

1 


8 

454143 



15 

162684 

1 


22 

843759 

2 

907425 

1 


9 

580265 



16 

285611 

1 


23 

959331 

3 

033217 

1 


10 

648310 



17 

391576 

1 


24 

019107 

4 

126058 

1 


11 

752930 



18 

422613 

1 


25 

192847 

5 

235589 

1 


12 

864301 



19 

558204 

1 


26 

192847 


Table 16. 6-digit combinations at 

1 

: 01+ 

E 

comb. 



13 

133123 



27 

440132 








41 

42 

43 

44 

45 

46 

47 

48 

49 

50 

51 

52 

53 

841782 

954933 

028616 

157851 

253403 

316240 

453212 

533493 

610200 

754655 

840223 

944388 

944388 

0 

803133 



14 

243252 



28 

509292 



i 

922672 

1 


15 

327112 



29 

680841 



2 

062016 



16 

464543 



30 

750414 



3 

141753 



17 

573035 



31 

860648 



4 

276554 



18 

665709 



32 

986760 



5 

315994 



19 

731074 



33 

034146 



6 

401737 



20 

895420 



34 

184532 



7 

590233 



21 

973368 



35 

221552 



8 

634440 



22 

065620 



36 

348100 



9 

746417 



23 

181246 



37 

405404 



I 

844471 



24 

232721 



38 

527308 



11 

927342 



25 

304903 



39 

641451 



12 

023403 



26 

440132 



40 

707232 




Table 17. 6-digit combinations at 1 : 02+ 










































Table 18. 6-digit combinations at 1 : 03-1- 


E 

comb. 


0 

197308 


1 

229653 

1 

2 

314183 

1 

3 

314183 

0 

4 

472242 

i 

5 

548311 


6 

653232 


7 

751238 


8 

853136 


9 

994925 


10 

003939 


11 

136055 


12 

242150 


13 

377020 


14 

433284 


15 

589263 


16 

697642 



17 

736565 


18 

877010 


19 

932921 



001830 


21 

117801 


22 

233531 


23 

390642 


24 

414560 


25 

519185 


26 

623444 


27 

726137 


28 

815144 


29 

913133 


30 

050445 


31 

154051 


32 

205540 


33 

371497 


34 

428420 



35 

562882 

1 

36 

696411 

1 

37 

793512 

1 

38 

856523 

1 

39 

954494 

1 

40 

001432 

1 

41 

159710 

1 

42 

253131 

1 

43 

343330 

1 

44 

453233 

1 

45 

564870 

1 

46 

604627 

1 

47 

775411 

1 

48 

842291 

1 

49 

967451 

1 

50 

005706 

1 

51 

102313 

1 

52 

240554 

1 


Table 19. 6-digit combinations at 


E 

comb. 



16 

803105 



33 

834055 


0 

269612 



17 

964970 



34 

952044 


i 

352122 

1 


18 

085128 



35 

006042 


2 

430378 



19 

149115 



36 

114194 


3 

501426 




202403 



37 

200429 


4 

624726 



21 

393555 



38 

332250 


5 

770000 



22 

434318 



39 

434921 


6 

858070 



23 

544247 



40 

541209 


7 

954795 



24 

900020 



41 

628292 


8 

054725 



25 

075758 



42 

721117 


9 

101035 



26 

131647 



43 

845051 


10 

215597 



27 

236059 



44 

922050 


11 

324103 



28 

361743 



45 

024254 


12 

431417 



29 

487607 



46 

189460 


13 

566145 



30 

550510 



47 

203522 


14 

624507 



31 

640136 



48 

333231 


15 

744115 



32 

788015 



49 

432931 



53 354324 

54 450806 

55 551977 

56 682610 

57 710400 

58 830638 

59 963248 

60 059241 

61 110925 

62 217217 

63 344198 

64 407524 

65 552941 

66 631306 

67 764802 

68 880970 

69 921905 

70 063039 


: 04+ 


50 525517 

51 632156 

52 701365 

53 823442 

54 967919 

55 057862 

56 117521 

57 234149 

58 315074 

59 452005 

60 530501 

61 633500 

62 720237 

63 898292 

64 906445 

65 155602 

































Table 20. 6-digit combinations at 1 : 21+ 




comb. 


729021 

862954 

984329 

027332 

283083 

354734 

430327 

620593 

732308 

830515 


988222 

124510 

201595 

320271 

444368 

648544 

730542 

888677 

011941 

135073 

272046 


21 334242 

22 530457 

23 672523 

24 739122 

25 904289 

26 066584 

27 126007 

28 252851 

29 426375 

30 522133 

31 602702 



Table 21. 6-digit combinations at 1 : 22+ 



comb. 


0 373763 

1 406375 

2 533966 

3 704802 

4 875121 

5 927450 

6 032654 

7 299538 

8 325157 

9 441409 
650483 
717743 
883525 


13 965143 

14 112015 

15 237007 

16 331278 

17 515093 

18 640216 

19 751552 

20 858301 

21 015311 

22 126288 

23 200451 

24 421201 

25 593095 

26 635180 


841140 
992450 

29 081502 

30 102493 

31 312450 

32 439123 

33 516114 

34 772509 

35 864425 

36 963344 

37 073140 

38 209594 

39 336225 

40 443141 



Table 22. 6-digit combinations at 1 : 54+ 


















































Table 


i comb. 

0 273335 " 

1 483158 2 

2 641051 2 

3 803836 2 


23. 6-digit combinations at 


4 

000508 

1 

| 

■ 

9 

000822 

2 

5 

296752 

■ 


10 

114160 

1 

6 

431516 

| 


11 

379050 

2 

7 

643494 

| 


12 

571410 

2 

8 

833238 


1 

13 

781454 

2 


2 : 07+ 


14 900609 

15 154812 

16 303585 

17 529381 


Table 24. 6-digit combinations at 10 : 46+ 




























